Secure Software Manager

We introduced additional controls for release windows. These new controls adhere to the principle of reproduceable builds by comparing code between releases. This provides customers with the ability to prevent malware from being injected during the build process, helping customers prevent SolarWinds-like events.

Account admins can compare several previously completed releases to confirm that the build process was consistently reproduced by a quorum of users. Then, they can create a baseline from matching releases. This baseline acts as a control to ensure that applications requested for signing during the production release are an exact match to the applications signed in the baseline chosen by the admin. If any applications differ from those in the baseline, the release window is immediately closed and further signing is blocked. This allows users to investigate the root cause.

These new capabilities work in conjunction with test, online, and offline production key release workflows, complementing the controls in place based on key access and availability.

SMCTL sign functionality supports digest and signature algorithm mapping in a consistent way, translating and sanitizing these commands so the signing tools receive digest and signature variable inputs in the expected format per tool.

SMCTL sign now includes support for:

We extended support for the new release workflows to the SMCTL. Users can compare releases, view release comparisons, and create releases with baselines all via the CLI.